Working with Route Tables

Your cloud network uses virtual route tables to send traffic out of the VCN (for example, to the Internet or to your on-premises network). These virtual route tables have rules that look and act like traditional network route rules you might already be familiar with. Each rule specifies a destination CIDR block and the target (the next hop) for any traffic that matches that CIDR.

When routing traffic, Oracle uses a subnet's route table only if the destination IP address is not within the VCN's CIDR block. No route rules are required in order to enable traffic within the VCN itself.

If a route table has overlapping rules, Oracle uses the most specific rule in the table to route the traffic (that is, the rule with the longest prefix match).

If there is no route rule that matches the network traffic you intend to route outside the VCN, it will be dropped (blackholed).
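The three routing rules above (intra-VCN traffic never consults the table, overlapping rules resolve by longest prefix match, and an unmatched destination is blackholed) can be checked against a table before you deploy it. The following is an added example, not code from the Oracle documentation: the VCN CIDR, the rules and the target labels are constructed placeholders standing in for real target OCIDs.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed example: a VCN with CIDR 10.0.0.0/16 and a route table whose
# targets are placeholder labels standing in for real target OCIDs.
VCN_CIDR = "10.0.0.0/16"

ROUTE_TABLE: List[Tuple[str, str]] = [
    ("0.0.0.0/0",     "internet-gateway"),      # default route for everything else
    ("172.16.0.0/12", "on-premises-gateway"),   # traffic to the on-premises network
    ("172.16.5.0/24", "private-ip-firewall"),   # one subnet of it inspected by a firewall instance
]

# A table with no default route: anything that misses every rule is blackholed.
NO_DEFAULT_ROUTE: List[Tuple[str, str]] = [
    ("172.16.0.0/12", "on-premises-gateway"),
]

LOCAL = "local"  # intra-VCN delivery; the route table is not consulted


def select_route(destination: str, vcn_cidr: str,
                 rules: List[Tuple[str, str]]) -> Optional[str]:
    """Return the target a packet to `destination` is sent to.

    Intra-VCN traffic returns LOCAL without touching the table, overlapping
    rules resolve by longest prefix match, and a destination that matches no
    rule returns None (dropped / blackholed).
    """
    ip = ipaddress.ip_address(destination)
    if ip in ipaddress.ip_network(vcn_cidr):
        return LOCAL

    best_target: Optional[str] = None
    best_prefix = -1
    for cidr, target in rules:
        network = ipaddress.ip_network(cidr)
        if ip in network and network.prefixlen > best_prefix:
            best_target, best_prefix = target, network.prefixlen
    return best_target


def blackholed(destinations: List[str], vcn_cidr: str,
               rules: List[Tuple[str, str]]) -> List[str]:
    """Return the destinations for which the table has no matching rule."""
    return [d for d in destinations if select_route(d, vcn_cidr, rules) is None]


if __name__ == "__main__":
    for dst in ("10.0.3.4", "172.16.5.9", "172.16.9.9", "8.8.8.8"):
        print(dst, "->", select_route(dst, VCN_CIDR, ROUTE_TABLE))
    print("blackholed without a default route:",
          blackholed(["8.8.8.8", "172.16.1.1"], VCN_CIDR, NO_DEFAULT_ROUTE))
```

Running the block shows 172.16.5.9 going to the firewall instance rather than the on-premises gateway (the /24 wins over the /12), and 8.8.8.8 being dropped by the table that has no 0.0.0.0/0 rule.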

Here are the allowed types of targets for a route rule:

internet gateway: Use this target with a public subnet that needs access to the internet.

private IP: Use this target to send a subnet's traffic to an instance in the VCN (for example, a NAT or firewall instance). See Using a Private IP as a Route Target.

Each VCN automatically comes with a default route table that has no rules. If you don't specify otherwise, every subnet uses the VCN's default route table. When you add route rules to your VCN, you can simply add them to the default table if that suits your needs. However, if you need both a public subnet and a private subnet (for example, see Scenario C: Public and Private Subnets with a VPN), you instead create a separate route table for each subnet.

Each subnet in a VCN uses a single route table. When you create the subnet, you specify which one to use. You can't change which route table a subnet uses after the subnet is created, so make sure to create the route table before creating the subnet. However, remember that you can also change a table's rules.

You may optionally assign a friendly name to the route table during creation. It doesn't have to be unique, and you can change it later. Oracle automatically assigns the route table a unique identifier called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.

To delete a route table, it must not be associated with any subnet. You can't delete a VCN's default route table.

For information about the maximum number of route tables and route rules, see Service Limits.

Using a Private IP as a Route Target

If you're not familiar with the definition of a private IP, see Private IP Addresses. In short: a private IP is an object that contains a private IP address and related properties and has its own OCID.

General Use Cases

You can use a private IP as the target of a route rule in situations where you want to route a subnet's traffic to another instance. Here are a few reasons you might do this:

To implement Network Address Translation (NAT) in the VCN, which enables outbound internet access for instances that don't have direct internet connectivity.

To implement a virtual network function (such as a firewall or intrusion detection) that filters outgoing traffic from instances.

To manage an overlay network on the VCN, which lets you run container orchestration workloads.

To implement these use cases, there's more to do than simply route traffic to the instance. There's also configuration required on the instance itself.

Requirements for Using a Private IP as a Target

The private IP must be in the same VCN as the route table.

The private IP's VNIC must be configured to skip the source/destination check so that the VNIC can forward traffic. By default, VNICs are configured to perform the check. For more information, see Source/Destination Check.

The route rule must specify the OCID of the private IP as the target, and not the IP address itself. Exception: If you use the Console, you can instead specify the private IP address itself as the target, and the Console determines and uses the corresponding OCID in the rule.

A route rule with a private IP target can result in blackholing in these cases:

The instance the private IP is assigned to is stopped or terminated

The VNIC the private IP is assigned to is updated to enable the source/destination check or is deleted

The private IP is unassigned from the VNIC

When the target private IP no longer exists (for example, because its instance was terminated), the Console displays a note on the route rule that the target OCID no longer exists.

For failover: If the target instance is terminated before you can move its secondary private IP to a standby instance, the route rule still points at the old private IP's OCID, because the rule references the target's OCID and not the private IP address itself. You must update the route rule to use the OCID of the new private IP on the standby.

General Setup Process

Determine which instance will receive and forward the traffic (the NAT instance, for example).

Choose a private IP on the instance (it can be on the instance's primary VNIC or on a secondary VNIC). If you want to implement failover, set up a secondary private IP on one of the VNICs on the instance.

Configure that VNIC to skip the source/destination check (see Requirements for Using a Private IP as a Target).

In the route table of the subnet whose traffic you want to forward, add a route rule with the following values:

Destination CIDR block: If all traffic leaving the subnet needs to go to the private IP, use 0.0.0.0/0.

Target type: Private IP.

Compartment: The compartment of the private IP.

Target: The OCID of the private IP. If you're using the Console and instead enter the private IP address itself, the Console determines the corresponding OCID and uses it as the target for the route rule.
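The requirements and blackholing conditions listed under Requirements for Using a Private IP as a Target, and the failover step in the setup process above, amount to a checklist that can be run against a route table. The following is an added example written for this page, not code from the Oracle documentation. The inventory dictionaries are constructed and use placeholder OCIDs; their fields (a route rule's network_entity_id, a private IP's vnic_id, a VNIC's skip_source_dest_check flag, an instance's lifecycle_state) are named after the corresponding API fields, and in a real audit you would fill them from the API (for instance the Python SDK's VirtualNetworkClient get_private_ip and get_vnic calls and ComputeClient get_instance), which this offline example does not call.

```python
import ipaddress
from typing import Dict, List

# Constructed inventory (placeholder OCIDs, not real ones). The field names mirror
# what the OCI API returns for private IPs, VNICs and instances.
VCN_A = "ocid1.vcn.example.vcn-a"
VCN_B = "ocid1.vcn.example.vcn-b"

PRIVATE_IPS: Dict[str, dict] = {
    "ocid1.privateip.example.nat-primary":   {"ip": "10.0.1.10", "vnic_id": "ocid1.vnic.example.nat", "vcn_id": VCN_A},
    "ocid1.privateip.example.nat-secondary": {"ip": "10.0.1.11", "vnic_id": "ocid1.vnic.example.nat", "vcn_id": VCN_A},
    "ocid1.privateip.example.firewall":      {"ip": "10.0.1.20", "vnic_id": "ocid1.vnic.example.fw",  "vcn_id": VCN_A},
    "ocid1.privateip.example.foreign":       {"ip": "10.1.0.5",  "vnic_id": "ocid1.vnic.example.far", "vcn_id": VCN_B},
}
VNICS: Dict[str, dict] = {
    "ocid1.vnic.example.nat": {"skip_source_dest_check": True,  "instance_id": "ocid1.instance.example.nat"},
    "ocid1.vnic.example.fw":  {"skip_source_dest_check": False, "instance_id": "ocid1.instance.example.fw"},
    "ocid1.vnic.example.far": {"skip_source_dest_check": True,  "instance_id": "ocid1.instance.example.far"},
}
INSTANCE_STATE: Dict[str, str] = {
    "ocid1.instance.example.nat": "RUNNING",
    "ocid1.instance.example.fw":  "STOPPED",
    "ocid1.instance.example.far": "RUNNING",
}


def is_private_ip_ocid(target: str) -> bool:
    # OCIDs have the form ocid1.<resource type>.<realm>... ; private IPs use "privateip".
    parts = target.split(".")
    return len(parts) > 2 and parts[0] == "ocid1" and parts[1] == "privateip"


def looks_like_address(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def check_private_ip_target(target: str, route_table_vcn_id: str) -> List[str]:
    """Return the reasons a private-IP route target would blackhole traffic (empty list = OK)."""
    if looks_like_address(target):
        # The rule must carry the private IP's OCID; only the Console resolves a bare address.
        return ["target is an IP address, not a private IP OCID"]
    pip = PRIVATE_IPS.get(target)
    if pip is None:
        # Private IP unassigned, or its instance terminated: the OCID no longer resolves.
        return ["target private IP OCID no longer exists"]
    findings: List[str] = []
    if pip["vcn_id"] != route_table_vcn_id:
        findings.append("private IP is not in the same VCN as the route table")
    vnic = VNICS.get(pip["vnic_id"])
    if vnic is None:
        findings.append("VNIC holding the private IP has been deleted")
        return findings
    if not vnic["skip_source_dest_check"]:
        findings.append("VNIC still performs the source/destination check")
    state = INSTANCE_STATE.get(vnic["instance_id"], "TERMINATED")
    if state != "RUNNING":
        findings.append(f"target instance is {state}")
    return findings


def audit_route_table(rules: List[dict], vcn_id: str) -> Dict[str, List[str]]:
    """Map each destination CIDR whose target is (or should be) a private IP to its findings."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        target = rule["network_entity_id"]
        if looks_like_address(target) or is_private_ip_ocid(target):
            report[rule["destination"]] = check_private_ip_target(target, vcn_id)
    return report


def failover_rules(rules: List[dict], old_target: str, new_target: str) -> List[dict]:
    """Return a copy of the rules with every reference to old_target re-pointed at new_target."""
    return [dict(rule, network_entity_id=new_target) if rule["network_entity_id"] == old_target
            else dict(rule) for rule in rules]


# Constructed route rules in the shape of the API's route-rule list.
ROUTE_RULES: List[dict] = [
    {"destination": "0.0.0.0/0",      "destination_type": "CIDR_BLOCK", "network_entity_id": "ocid1.privateip.example.nat-primary"},
    {"destination": "192.168.0.0/16", "destination_type": "CIDR_BLOCK", "network_entity_id": "ocid1.privateip.example.firewall"},
    {"destination": "172.16.0.0/12",  "destination_type": "CIDR_BLOCK", "network_entity_id": "ocid1.privateip.example.foreign"},
    {"destination": "10.9.0.0/16",    "destination_type": "CIDR_BLOCK", "network_entity_id": "10.0.1.10"},
]

if __name__ == "__main__":
    for dest, problems in audit_route_table(ROUTE_RULES, VCN_A).items():
        print(dest, "OK" if not problems else "; ".join(problems))
```

In the constructed table only the default route is healthy: the firewall rule fails twice (its VNIC still runs the source/destination check and its instance is stopped), the 172.16.0.0/12 rule points into another VCN, and the last rule was written with an address instead of an OCID. The failover_rules helper shows the rule change the text calls for when the primary instance is gone: it rewrites the target OCID, since nothing in the rule follows the address itself to the standby.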

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.

Using the Console

To update the rules in a route table

In the Console, click Networking, and then click Virtual Cloud Networks.

A list of the cloud networks in the compartment you're viewing is displayed. If you don’t see the one you're looking for, verify that you’re viewing the correct compartment (select from the list on the left side of the page).

Click the cloud network you're interested in.

Click Route Tables.

Click the route table you're interested in.

Click Edit Route Rules.

If you want to create a new route rule, click + Another Route Rule and enter the following:

Destination CIDR Block: The destination CIDR block for the traffic. A value of 0.0.0.0/0 means that all non-intra-VCN traffic that is not already covered by other rules in the route table will go to the target specified in this rule.

Target: The target. If the target is a private IP, enter its OCID. Or you can enter the private IP address itself, in which case the Console determines the corresponding OCID and uses it as the target for the route rule.

If you want to delete an existing route rule, click the X next to the rule.

If you want to edit an existing rule, make your changes to the rule.

To create a route table

Confirm you're viewing the compartment that contains the cloud network that you want to add the route table to. If you've just created the cloud network, you should still be viewing the same compartment. If you click Networking and then click Virtual Cloud Networks, you should see the cloud network. For information about compartments and access control, see Access Control.

Click the cloud network you're interested in, click Route Tables, and then click Create Route Table. Enter the following:

Create in Compartment: The compartment where you want to create the route table, if different from the compartment you're currently working in.

Name: A friendly name for the route table. The name doesn't have to be unique, and it cannot be changed later in the Console (but you can change it with the API). Avoid entering confidential information.

Add at least one route rule with the following information:

Destination CIDR Block: The destination CIDR block for the traffic. A value of 0.0.0.0/0 means that all non-intra-VCN traffic that is not already covered by other rules in the route table will go to the target specified in this rule.

Target: The target. If the target is a private IP, enter its OCID. Or you can enter the private IP address itself, in which case the Console determines the corresponding OCID and uses it as the target for the route rule.

Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.

Click Create Route Table. The route table is created and then displayed on the Route Tables page in the compartment you chose. You can now specify this route table when creating a subnet.

To delete a route table

Prerequisite: The route table must not be associated with any subnet. You can't delete the default route table in a cloud network.

In the Console, click Networking, and then click Virtual Cloud Networks.

A list of the cloud networks in the compartment you're viewing is displayed. If you don’t see the one you're looking for, verify that you’re viewing the correct compartment (select from the list on the left side of the page).

Click the cloud network you're interested in.

Click Route Tables.

For the route table you want to delete, click the Actions icon, and then click Terminate.

To manage tags for a route table

In the Console, click Networking, and then click Virtual Cloud Networks.

A list of the cloud networks in the compartment you're viewing is displayed. If you don’t see the one you're looking for, verify that you’re viewing the correct compartment (select from the list on the left side of the page).

Click the cloud network you're interested in.

Click Route Tables.

Click the route table you're interested in.

Click the Tags tab to view or edit the existing tags. Or click Apply tag(s) to add new ones.